L6 Model Governance API
Layer 6 (L6) governs which AI models your organization uses, how they are accessed, what data classes they may process, and what they cost. L6 prevents shadow AI, enforces model allowlists, tracks agreement compliance (DPA/BAA), and provides cost governance.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /l6/dashboard | Model governance dashboard stats |
| GET | /l6/registry/models | List registered models |
| POST | /l6/registry/models | Register a model |
| GET | /l6/registry/models/:id | Get model details |
| PUT | /l6/registry/models/:id | Update a model |
| DELETE | /l6/registry/models/:id | Remove a model |
| GET | /l6/policies | List MAP policies |
| POST | /l6/policies | Create a MAP policy |
| PUT | /l6/policies/:id | Update a MAP policy |
| DELETE | /l6/policies/:id | Remove a MAP policy |
| GET | /l6/audit | L6 audit trail |
| GET | /l6/shadow | Shadow detection events |
| GET | /l6/config | Get L6 configuration |
| PUT | /l6/config | Update L6 configuration |
| GET | /l6/connectors | List platform connectors |
| POST | /l6/connectors | Add a platform connector |
MAP Policy Types
| Type | Description |
|---|---|
MODEL_ALLOWLIST | Only permit inference to models explicitly registered and approved |
CHANNEL_ENFORCEMENT | Require all model access through approved channels (no direct API keys) |
AGREEMENT_REQUIRED | Block models that lack required legal agreements (DPA, BAA) |
DATA_CLASS_MODEL_MAP | Map data classifications to approved models (e.g., PII only to SOC 2 models) |
COST_GOVERNANCE | Set spending limits per model, per agent, or per time window |
GET /l6/dashboard
Get summary statistics for the L6 model governance layer.
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/dashboard \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"total_models": 8,
"approved_models": 6,
"pending_models": 1,
"blocked_models": 1,
"active_policies": 5,
"shadow_detections_30d": 3,
"total_inferences_30d": 14832,
"cost_30d": {
"total_usd": 2847.50,
"by_model": [
{ "model_id": "claude-sonnet-4-20250514", "cost_usd": 1423.80, "inferences": 8921 },
{ "model_id": "gpt-4o", "cost_usd": 987.20, "inferences": 4156 },
{ "model_id": "claude-haiku", "cost_usd": 312.10, "inferences": 1422 },
{ "model_id": "mistral-large", "cost_usd": 124.40, "inferences": 333 }
]
},
"agreements": {
"dpa_coverage": "100%",
"baa_coverage": "75%",
"expiring_within_30d": 1
},
"connectors": {
"total": 2,
"healthy": 2,
"unhealthy": 0
}
}GET /l6/registry/models
List all registered AI models.
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
status | string | — | Filter by status: APPROVED, PENDING, BLOCKED |
provider | string | — | Filter by provider: anthropic, openai, google, mistral, meta, etc. |
page | integer | 1 | Page number |
limit | integer | 50 | Results per page |
Example Request
bash
curl -X GET "https://api.thewardn.ai/l6/registry/models?status=APPROVED" \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"models": [
{
"id": "mod_a1b2c3d4",
"model_id": "claude-sonnet-4-20250514",
"provider": "anthropic",
"model_version": "claude-sonnet-4-20250514",
"access_channel": "api",
"status": "APPROVED",
"cost_per_1k_input": 0.003,
"cost_per_1k_output": 0.015,
"dpa_signed": true,
"dpa_expiry": "2027-04-01T00:00:00Z",
"baa_signed": true,
"baa_expiry": "2027-04-01T00:00:00Z",
"data_classes_allowed": ["public", "internal", "confidential", "phi"],
"created_at": "2026-03-15T10:00:00Z",
"updated_at": "2026-03-15T10:00:00Z"
},
{
"id": "mod_e5f6g7h8",
"model_id": "gpt-4o",
"provider": "openai",
"model_version": "gpt-4o-2024-11-20",
"access_channel": "azure_openai",
"status": "APPROVED",
"cost_per_1k_input": 0.0025,
"cost_per_1k_output": 0.01,
"dpa_signed": true,
"dpa_expiry": "2027-01-15T00:00:00Z",
"baa_signed": false,
"baa_expiry": null,
"data_classes_allowed": ["public", "internal"],
"created_at": "2026-03-20T14:00:00Z",
"updated_at": "2026-04-05T09:00:00Z"
}
],
"total": 2,
"page": 1,
"limit": 50
}POST /l6/registry/models
Register a new AI model in the governance registry.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
model_id | string | Yes | Model identifier (e.g., claude-sonnet-4-20250514) |
provider | string | Yes | Provider name |
model_version | string | Yes | Specific version string |
access_channel | string | Yes | How the model is accessed: api, azure_openai, aws_bedrock, gcp_vertex, self_hosted |
status | string | No | Initial status (default: PENDING): APPROVED, PENDING, BLOCKED |
cost_per_1k_input | number | No | Cost per 1,000 input tokens (USD) |
cost_per_1k_output | number | No | Cost per 1,000 output tokens (USD) |
dpa_signed | boolean | No | Whether a Data Processing Agreement is in place |
dpa_expiry | string | No | DPA expiry date (ISO 8601) |
baa_signed | boolean | No | Whether a Business Associate Agreement is in place |
baa_expiry | string | No | BAA expiry date (ISO 8601) |
data_classes_allowed | array | No | Data classifications this model may process |
Example Request
bash
curl -X POST https://api.thewardn.ai/l6/registry/models \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model_id": "mistral-large-2",
"provider": "mistral",
"model_version": "mistral-large-2402",
"access_channel": "api",
"status": "PENDING",
"cost_per_1k_input": 0.002,
"cost_per_1k_output": 0.006,
"dpa_signed": true,
"dpa_expiry": "2027-06-01T00:00:00Z",
"baa_signed": false,
"data_classes_allowed": ["public", "internal"]
}'Example Response
json
{
"id": "mod_i9j0k1l2",
"model_id": "mistral-large-2",
"provider": "mistral",
"model_version": "mistral-large-2402",
"access_channel": "api",
"status": "PENDING",
"cost_per_1k_input": 0.002,
"cost_per_1k_output": 0.006,
"dpa_signed": true,
"dpa_expiry": "2027-06-01T00:00:00Z",
"baa_signed": false,
"baa_expiry": null,
"data_classes_allowed": ["public", "internal"],
"created_at": "2026-04-10T15:00:00Z",
"updated_at": "2026-04-10T15:00:00Z"
}GET /l6/registry/models/:id
Get full details for a registered model.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string | Model registry ID |
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/registry/models/mod_a1b2c3d4 \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"id": "mod_a1b2c3d4",
"model_id": "claude-sonnet-4-20250514",
"provider": "anthropic",
"model_version": "claude-sonnet-4-20250514",
"access_channel": "api",
"status": "APPROVED",
"cost_per_1k_input": 0.003,
"cost_per_1k_output": 0.015,
"dpa_signed": true,
"dpa_expiry": "2027-04-01T00:00:00Z",
"baa_signed": true,
"baa_expiry": "2027-04-01T00:00:00Z",
"data_classes_allowed": ["public", "internal", "confidential", "phi"],
"usage_30d": {
"inferences": 8921,
"input_tokens": 12450000,
"output_tokens": 3200000,
"cost_usd": 1423.80
},
"agents_using": ["agent_support_bot", "agent_sales_bot", "agent_onboarding"],
"created_at": "2026-03-15T10:00:00Z",
"updated_at": "2026-03-15T10:00:00Z"
}PUT /l6/registry/models/:id
Update a registered model's details.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string | Model registry ID |
Example Request
bash
curl -X PUT https://api.thewardn.ai/l6/registry/models/mod_e5f6g7h8 \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"baa_signed": true,
"baa_expiry": "2027-06-01T00:00:00Z",
"data_classes_allowed": ["public", "internal", "confidential", "phi"]
}'Example Response
json
{
"id": "mod_e5f6g7h8",
"model_id": "gpt-4o",
"provider": "openai",
"model_version": "gpt-4o-2024-11-20",
"access_channel": "azure_openai",
"status": "APPROVED",
"cost_per_1k_input": 0.0025,
"cost_per_1k_output": 0.01,
"dpa_signed": true,
"dpa_expiry": "2027-01-15T00:00:00Z",
"baa_signed": true,
"baa_expiry": "2027-06-01T00:00:00Z",
"data_classes_allowed": ["public", "internal", "confidential", "phi"],
"created_at": "2026-03-20T14:00:00Z",
"updated_at": "2026-04-10T15:10:00Z"
}DELETE /l6/registry/models/:id
Remove a model from the registry. Any agents currently using this model will be blocked on their next inference attempt.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string | Model registry ID |
WARNING
Removing a model from the registry will immediately block all agents from using it. Any in-flight requests will complete, but subsequent requests will be denied with an L6_MODEL_GOVERNANCE violation.
Example Request
bash
curl -X DELETE https://api.thewardn.ai/l6/registry/models/mod_i9j0k1l2 \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"deleted": true,
"id": "mod_i9j0k1l2",
"model_id": "mistral-large-2",
"agents_affected": []
}GET /l6/policies
List all MAP (Model Access Policy) policies.
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/policies \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"policies": [
{
"id": "map_1a2b3c4d",
"type": "MODEL_ALLOWLIST",
"name": "Production Model Allowlist",
"config": {
"allowed_models": ["claude-sonnet-4-20250514", "gpt-4o", "claude-haiku"],
"enforcement": "DENY"
},
"active": true,
"created_at": "2026-03-15T10:00:00Z"
},
{
"id": "map_5e6f7g8h",
"type": "CHANNEL_ENFORCEMENT",
"name": "No Direct API Keys",
"config": {
"allowed_channels": ["azure_openai", "aws_bedrock", "api"],
"blocked_channels": ["direct_key", "browser_extension"],
"enforcement": "DENY"
},
"active": true,
"created_at": "2026-03-15T10:05:00Z"
},
{
"id": "map_9i0j1k2l",
"type": "AGREEMENT_REQUIRED",
"name": "BAA Required for PHI",
"config": {
"data_classes": ["phi"],
"required_agreements": ["baa"],
"enforcement": "DENY"
},
"active": true,
"created_at": "2026-03-15T10:10:00Z"
},
{
"id": "map_3m4n5o6p",
"type": "DATA_CLASS_MODEL_MAP",
"name": "PHI Only on BAA Models",
"config": {
"mappings": [
{ "data_class": "phi", "allowed_models": ["claude-sonnet-4-20250514"] },
{ "data_class": "confidential", "allowed_models": ["claude-sonnet-4-20250514", "gpt-4o"] },
{ "data_class": "public", "allowed_models": ["*"] }
],
"enforcement": "DENY"
},
"active": true,
"created_at": "2026-03-16T09:00:00Z"
},
{
"id": "map_7q8r9s0t",
"type": "COST_GOVERNANCE",
"name": "Monthly Spend Cap",
"config": {
"max_monthly_usd": 5000,
"per_agent_max_daily_usd": 200,
"alert_threshold_pct": 80,
"enforcement": "ESCROW"
},
"active": true,
"created_at": "2026-03-16T09:15:00Z"
}
],
"total": 5
}POST /l6/policies
Create a new MAP policy.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
type | string | Yes | Policy type (see MAP Policy Types table) |
name | string | Yes | Human-readable name |
config | object | Yes | Type-specific configuration |
active | boolean | No | Active on creation (default: true) |
Example Request — Cost Governance
bash
curl -X POST https://api.thewardn.ai/l6/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "COST_GOVERNANCE",
"name": "Per-Agent Daily Limit",
"config": {
"per_agent_max_daily_usd": 100,
"alert_threshold_pct": 75,
"enforcement": "ESCROW"
},
"active": true
}'Example Response
json
{
"id": "map_u1v2w3x4",
"type": "COST_GOVERNANCE",
"name": "Per-Agent Daily Limit",
"config": {
"per_agent_max_daily_usd": 100,
"alert_threshold_pct": 75,
"enforcement": "ESCROW"
},
"active": true,
"created_at": "2026-04-10T15:20:00Z"
}PUT /l6/policies/:id
Update a MAP policy.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string | MAP policy ID |
Example Request
bash
curl -X PUT https://api.thewardn.ai/l6/policies/map_7q8r9s0t \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"config": {
"max_monthly_usd": 8000,
"per_agent_max_daily_usd": 300,
"alert_threshold_pct": 80,
"enforcement": "ESCROW"
}
}'Example Response
json
{
"id": "map_7q8r9s0t",
"type": "COST_GOVERNANCE",
"name": "Monthly Spend Cap",
"config": {
"max_monthly_usd": 8000,
"per_agent_max_daily_usd": 300,
"alert_threshold_pct": 80,
"enforcement": "ESCROW"
},
"active": true,
"created_at": "2026-03-16T09:15:00Z",
"updated_at": "2026-04-10T15:25:00Z"
}DELETE /l6/policies/:id
Remove a MAP policy.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string | MAP policy ID |
Example Request
bash
curl -X DELETE https://api.thewardn.ai/l6/policies/map_u1v2w3x4 \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"deleted": true,
"id": "map_u1v2w3x4"
}GET /l6/audit
Get the L6-specific audit trail for model governance events.
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
page | integer | 1 | Page number |
limit | integer | 50 | Results per page |
model_id | string | — | Filter by model ID |
event_type | string | — | Filter by event type: INFERENCE, REGISTRATION, POLICY_CHANGE, SHADOW_DETECTED |
Example Request
bash
curl -X GET "https://api.thewardn.ai/l6/audit?event_type=INFERENCE&limit=5" \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"records": [
{
"seq": 4821,
"timestamp": "2026-04-10T15:12:00Z",
"event_type": "INFERENCE",
"agent_id": "agent_support_bot",
"model_id": "claude-sonnet-4-20250514",
"channel": "api",
"data_class": "internal",
"input_tokens": 1240,
"output_tokens": 580,
"cost_usd": 0.0124,
"verdict": "ALLOW",
"policies_evaluated": 5,
"policies_fired": []
}
],
"total": 4821,
"page": 1,
"limit": 5
}GET /l6/shadow
Get shadow AI detection events. Shadow detections occur when TheWARDN identifies model usage that bypasses the governed channel.
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
page | integer | 1 | Page number |
limit | integer | 50 | Results per page |
resolved | boolean | — | Filter by resolution status |
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/shadow \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"shadow_events": [
{
"id": "shd_x1y2z3",
"detected_at": "2026-04-09T11:22:00Z",
"source": "network_monitor",
"details": {
"destination": "api.openai.com",
"method": "POST",
"path": "/v1/chat/completions",
"agent_id": null,
"user_agent": "python-requests/2.31.0",
"source_ip": "10.0.1.47"
},
"model_detected": "gpt-4-turbo",
"channel": "direct_key",
"policy_violated": "CHANNEL_ENFORCEMENT",
"severity": "HIGH",
"resolved": false
}
],
"total": 3,
"page": 1,
"limit": 50
}DANGER
Shadow AI is the single biggest governance risk in enterprise AI deployments. Unregistered model usage bypasses all CHAM policies, audit trails, and compliance controls. Investigate shadow detections immediately.
GET /l6/config
Get the current L6 configuration.
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/config \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"enabled": true,
"mode": "enforce",
"shadow_detection": true,
"cost_tracking": true,
"agreement_monitoring": true,
"default_enforcement": "DENY",
"updated_at": "2026-04-01T10:00:00Z"
}PUT /l6/config
Update the L6 configuration.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
enabled | boolean | No | Enable or disable L6 |
mode | string | No | enforce (block violations) or monitor (log only) |
shadow_detection | boolean | No | Enable shadow AI detection |
cost_tracking | boolean | No | Enable cost tracking |
agreement_monitoring | boolean | No | Enable DPA/BAA expiry monitoring |
WARNING
Setting mode to monitor will log violations but not enforce them. Use this only during initial rollout to understand your model usage patterns before switching to enforce.
Example Request
bash
curl -X PUT https://api.thewardn.ai/l6/config \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"mode": "enforce",
"shadow_detection": true
}'Example Response
json
{
"enabled": true,
"mode": "enforce",
"shadow_detection": true,
"cost_tracking": true,
"agreement_monitoring": true,
"default_enforcement": "DENY",
"updated_at": "2026-04-10T15:35:00Z"
}GET /l6/connectors
List platform connectors that feed model usage telemetry into TheWARDN.
Example Request
bash
curl -X GET https://api.thewardn.ai/l6/connectors \
-H "Authorization: Bearer YOUR_API_KEY"Example Response
json
{
"connectors": [
{
"id": "con_a1b2c3",
"platform": "azure_openai",
"name": "Azure OpenAI - East US",
"status": "HEALTHY",
"config": {
"resource_group": "ai-prod-eastus",
"subscription_id": "sub-***-redacted"
},
"last_sync": "2026-04-10T15:00:00Z",
"models_discovered": 3,
"created_at": "2026-03-20T10:00:00Z"
},
{
"id": "con_d4e5f6",
"platform": "aws_bedrock",
"name": "AWS Bedrock - us-east-1",
"status": "HEALTHY",
"config": {
"region": "us-east-1",
"account_id": "***-redacted"
},
"last_sync": "2026-04-10T14:55:00Z",
"models_discovered": 5,
"created_at": "2026-03-22T14:00:00Z"
}
],
"total": 2
}POST /l6/connectors
Add a new platform connector.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
platform | string | Yes | Platform type: azure_openai, aws_bedrock, gcp_vertex, openai |
name | string | Yes | Human-readable connector name |
config | object | Yes | Platform-specific connection configuration |
Example Request — OpenAI Direct
bash
curl -X POST https://api.thewardn.ai/l6/connectors \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"platform": "openai",
"name": "OpenAI Direct API",
"config": {
"api_key_ref": "vault://openai-prod-key",
"organization_id": "org-abc123"
}
}'Example Response
json
{
"id": "con_g7h8i9",
"platform": "openai",
"name": "OpenAI Direct API",
"status": "PENDING_VERIFICATION",
"config": {
"api_key_ref": "vault://openai-prod-key",
"organization_id": "org-abc123"
},
"last_sync": null,
"models_discovered": 0,
"created_at": "2026-04-10T15:40:00Z"
}TIP
Connector credentials are stored as vault references, never in plaintext. TheWARDN integrates with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault for credential storage.